September 8, 2004
Report No. 04-033

Division of Supervision and Consumer Protection’s Assessment of Bank Management

AUDIT REPORT

TABLE OF CONTENTS

BACKGROUND

RESULTS OF AUDIT

DOMINANT OFFICIAL’S INFLUENCE ON A FINANCIAL INSTITUTION

CONCLUSIONS AND RECOMMENDATIONS

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY
APPENDIX II: DSC’S ASSESSMENT OF MANAGEMENT CONTROL AREAS IN SELECTED BANKS AND RELATED FDIC GUIDANCE
     Segregation of Duties
     Active and Informed Board of Directors’ Oversight
     Outside/Independent Directors
     External and Internal Audits
     Code of Conduct and Conflicts of Interest Policies
     External and Internal Loan Review
APPENDIX III: ANALYSIS OF THE MANAGEMENT COMPONENT RATING
APPENDIX IV: PROFILES OF STATE NONMEMBER BANKS
APPENDIX V: CORPORATION COMMENTS
APPENDIX VI: MANAGEMENT RESPONSE TO RECOMMENDATIONS

TABLES

Table 1: CAMELS Component Rating Equals the CAMELS Composite Rating
Table 2: Profiles of State Nonmember Banks Rated a CAMELS Composite “5”

total assets.[4] Although other provisions in the Sarbanes-Oxley Act represent sound corporate governance practices, the provisions are generally not mandatory for smaller, non-public institutions. However, the FDIC does recommend that each institution consider implementing selected provisions of the Sarbanes-Oxley Act commensurate with its size, complexity, and risk profile.

The failure of senior management, BODs, and auditors to effectively carry out their duties has contributed to recent financial institution failures. Furthermore, a common element we observed in many of the failed bank material loss reviews[5] is that a dominant bank official had a direct impact on the failure of the bank. The last three bank failures we reviewed were attributed, in large part, to a dominant official at the bank.[6]

According to the DSC Manual of Examination Policies (DSC Manual), the quality of management is probably the single most important element in the successful operation of a bank. DSC’s definition of “management” includes the BOD, which is elected by the shareholders, and executive officers, who are appointed to their positions by the BOD.

Regarding dominant bank officials, the DSC Manual states:

         Supervisory authorities are properly concerned about the "One Man Bank" wherein the institution's principal officer and stockholder dominates virtually all phases of the bank's policies and operations.
         … Over the years, an officer can influence the election of a sufficient number of directors so that the officer is ultimately able to dominate the board and the affairs of the bank.

         There are at least two potential dangers inherent in a "One Man Bank" situation. First, incapacitation of the dominant officer may deprive the bank of competent management, and … may render the bank vulnerable to dishonest or incompetent replacement leadership. Second, problem cases resulting from mismanagement of such a bank's affairs are more difficult to solve through the normal course of supervisory efforts designed to induce corrective action by the bank.

[4] Institutions that have $500 million or more in total assets as of the beginning of their fiscal year are subject to the annual audit and reporting requirements of Section 36 of the Federal Deposit Insurance Act (FDI Act), as implemented by Part 363 of the FDIC's Rules and Regulations (12 Code of Federal Regulations § 363). Part 363 states that each insured depository institution (with $500 million or more in total assets) shall prepare annual financial statements, in accordance with generally accepted accounting principles, which shall be audited by an independent public accountant.

[5] Section 38(k) of the FDI Act, codified to 12, United States Code 1831o, provides that if a deposit insurance fund incurs a material loss with respect to an insured depository institution, on or after July 1, 1993, the Inspector General of the appropriate federal banking agency shall prepare a report to that agency reviewing the agency’s supervision of the institution. A material loss is defined by Section 38 of the FDI Act, in general, as a loss that exceeds the greater of $25 million or 2 percent of the institution’s total assets at the time the FDIC was appointed receiver.

[6] From the Office of Inspector General Audit Report No. 04-004, FDIC OIG Material Loss Reviews Conducted 1993 through 2003, dated January 22, 2004.

DSC has compiled the Management and Internal Control Evaluation Examination Documentation Module (Management ED Module),[7] dated November 2003, as an examination tool that provides procedural guidelines for examiners to consider in the evaluation of bank management. In accordance with Regional Directors Memorandum Guidelines for Examination Workpapers and Discretionary Use of Examination Documentation Modules,[8] dated September 25, 2001, use of the ED modules is discretionary. However, the memorandum also recognizes that the ED modules are excellent training and reference tools that provide consistency and standardized procedures.
The Management ED Module instructs examiners to perform a preliminary review of BOD and committee minutes; changes in the bank’s management and directorate; and prior examination reports, workpapers, and correspondence. The module also instructs examiners to review the following areas:

     •   Board and Management Supervision,
     •   Control Environment,
     •   Risk Assessment,
     •   Control Activities,
     •   Information and Communication,
     •   Monitoring, and
     •   Audit and Other Independent Reviews.

Examiners are instructed (1) to complete other ED modules containing specific procedures that provide insight into management and internal controls[9] in major risk areas or (2) to evaluate the other risk areas prior to assigning an overall assessment of management and internal controls. During the pre-examination planning process, examiners are also instructed to consider various risk scoping procedures at each examination. However, these procedures do not specifically instruct examiners to identify or consider the presence of a dominant official in the planning of examination procedures.

In accordance with the DSC Manual, a bank's performance with respect to asset quality and diversification, capital adequacy, earnings capacity and trends, and liquidity and funds management is, to a very significant extent, a result of decisions made by the bank's directors and officers. Consequently, examiners' findings and conclusions in regard to the other five elements of the CAMELS rating system are often major determinants of the management rating.

[7] DSC instructions state, “The Examination Modules are an examination tool that focuses on risk management practices and guides examiners to establish the appropriate examination scope. The modules incorporate questions and points of consideration into examination procedures to specifically address a bank’s risk management strategies for each of its major business activities. The modules direct examiners to consider areas of potential risk and associated risk control practices, thereby facilitating a more effective supervisory program.”

[8] DSC uses 10 primary ED modules that focus examiner attention on risk management practices at banks.

[9] The DSC Manual defines internal control as “the plan of organization and all coordinate methods and measures adopted within the bank to safeguard its assets, check the accuracy and reliability of accounting data, promote operational efficiency, and encourage adherence to prescribed managerial policies.”

The results of our analysis indicate that the management component rating is more closely linked to the overall CAMELS composite rating than the other five component ratings (see Appendix III).

RESULTS OF AUDIT

The process used by DSC examiners to assess bank management and controls during safety and soundness examinations of FDIC-supervised financial institutions is adequate. However, based on our review of six open banks with composite “5” ratings, there are opportunities for improving the regulatory oversight of banks that have a dominant official with significant influence over bank operations.
More specifically, examiner guidance could be strengthened with respect to evaluating the risks imposed by dominant officials and to assessing and recommending mitigating controls when a financial institution has that corporate structure. Failure to appropriately evaluate and assess such risks increases the opportunity for fraud or mismanagement to go undetected and uncorrected, and as evidenced by prior material loss reviews, poor corporate governance can ultimately contribute to the failure of an institution.

Within the framework of the existing examination procedures, the risks of a dominant official should be considered as a part of the pre-examination planning and scoping process to the extent that this risk is observed at the senior corporate level. The examiners should also consider examination steps that will assist in the evaluation of the level of risk and the quality of mitigating controls at the bank. Therefore, we are recommending that DSC establish a consolidated set of instructions to ensure that examiners consider the presence of a dominant individual as a risk factor during the pre-examination review process, ensure examiners evaluate specific aspects of corporate governance when a bank has a dominant official, and provide specific corrective and mitigating actions that examiners may recommend in such circumstances.

DOMINANT OFFICIAL’S INFLUENCE ON A FINANCIAL INSTITUTION

The six open institutions we reviewed with composite “5” ratings have critically deteriorated under the influence of a dominant official such as a bank president, chief executive officer (CEO), or board chairman. Based on the definition of a “5” rated institution, these banks pose a significant risk to the deposit insurance fund, and failure is highly probable.
Although DSC has established guidance on the various areas discussed in this report, the guidance is not consolidated into a comprehensive set of instructions for examiners on how to identify, assess, and control/mitigate risk posed by a bank with a dominant official and to expand examination procedures, when appropriate. The lack of such instructions may have contributed to examiners not adequately identifying and assessing the risks associated with a dominant official or recommending mitigating controls in a timely or effective manner at the six banks we reviewed.

Dominant Official as a Risk Factor

We determined that each of the six banks had a similar risk element in its corporate governance structure, that is, the bank was controlled by a dominant official. In considering control of a bank by a dominant official as a risk factor, we identified, at a minimum, six potential areas of control that examiners should evaluate to determine the degree of control by a dominant official and to determine the need for recommendations to improve the overall control structure. The six potential areas of control and associated weaknesses we identified in DSC’s examinations of the institutions we reviewed follow:

     •   Segregation of Duties[10] – Examiners did not identify an inadequate segregation of duties and did not recommend that key duties and responsibilities be divided among various individuals.

     •   Active and Informed BOD Oversight – Examiners did not always identify an inactive and/or uninformed BOD until the bank’s financial condition significantly deteriorated. In some cases, when earlier detection of these deficiencies was noted, examiners were unable to sufficiently persuade bank management to improve the control environment.

     •   Outside/Independent Directors – Examiners did not always identify the need for and assess the role of outside/independent directors.

     •   External and Internal Audits – Examiners did not always provide a discussion or analysis of the need for an annual financial audit,[11] adequacy of internal audit personnel and related functions, or rationale for changes in external auditors, even though weaknesses were identified.

     •   Code of Conduct and Conflicts of Interest Policies – Examiners’ reviews of the banks’ code of conduct and conflicts of interest policies were inconsistent. Although some of the banks had established policies, significant conflicts and apparent violations were evident.

     •   External and Internal Loan Review – Examiners generally recognized the absence or inadequacies of the banks’ loan review programs; however, sufficient and timely actions were not taken to substantially improve the loan oversight process.

[10] The DSC Manual describes a segregation of duties as a function in which “The participation of two or more persons or departments in a transaction causes the work of one to serve as proof for the accuracy of another.”

[11] The Dictionary of Accounting Terms defines a financial audit as an examination of a client’s accounting records by an independent certified public accountant to formulate an audit opinion. The auditor must follow generally accepted auditing procedures.

Although each of these control areas is addressed, to some degree, in various DSC policies and procedures, the guidance does not address these issues in the context of banks that are controlled by a dominant official. Nor does the guidance provide examiners with instruction on how to (1) identify and consider a dominant official during the pre-examination scoping process, (2) review these areas in the overall assessment of management, (3) identify and assess other possible mitigating controls, and (4) develop and recommend alternative courses of action to mitigate the risk from a dominant official. Therefore, we are providing specific areas of consideration that examiners should use in assessing a bank’s control environment and in recommending improvements to a bank’s control structure when a dominant official is present. These specific areas of consideration should be incorporated into a comprehensive set of instructions that provides examiners with a structured review process for the risk factor of a dominant official.
When examiners assess the risk profile and control environment of a bank, with respect to institutions that are controlled by a dominant official, we suggest that at a minimum, examiners should consider and assess whether:

     •   An appropriate segregation of duties and responsibilities is achieved or alternative actions are taken to mitigate the level of control exercised by the one individual.

     •   Director involvement in the oversight of policies and objectives of the bank is at an appropriate level.

     •   A diverse board membership provides the bank with an assortment of knowledge and expertise, including, but not limited to, banking, accounting, and the major lending areas of the bank’s target markets.

     •   There are a sufficient number of outside and independent directors.

     •   Committees of major risk areas exert a proper level of function, responsibility, and influence, and the value of the committees is exhibited in the decision-making process.

     •   A proper level of independence has been achieved for board committees of major risk areas, including, but not limited to, audit committees.

     •   An adequate audit committee[12] has been established with only, or at least a majority of, outside directors.

     •   A need exists for the performance of annual financial audits by an independent certified public accounting firm.

     •   A qualified, experienced, and independent internal auditor is in place at the bank.

     •   A proper segregation of the internal audit function is achieved from operational activities.

     •   An appropriate rationale was established regarding changing a bank’s external auditors, independent of oral discussions with bank management, including, but not limited to, a review of the audit committee minutes or a review of auditor notifications.

     •   An adequate written code of conduct and ethics and conflicts of interest policies has been established.

     •   A need exists for the bank’s BOD to perform and report on an annual conflicts of interest and ethics review.[13]

     •   A need exists for a bank to engage outside consultants to conduct an external loan review.

     •   A proper segregation of the internal loan review process is established.

[12] The Interagency Policy Statement External Auditing Programs of Banks and Savings Associations defines an audit committee as “A committee of the board of directors, whose membership should, to the extent possible, be knowledgeable about accounting and auditing. The committee should be responsible for reviewing and approving the institution’s internal and external auditing programs or recommending adoption of these programs to the full board.”

For the six banks reviewed, we evaluated DSC’s assessment and application of each of these areas as a potential control that could have served to mitigate the risk posed by a dominant official. In general, we concluded that examiners should have placed greater emphasis on strengthening a bank’s corporate governance structure.
More specifically:

     •   the examiners’ analyses and recommendations did not adequately address the influence of the dominant official;
     •   recommendations, including provisions within supervisory actions, were not made on a timely basis; and
     •   additional measures could have been taken earlier by DSC to help mitigate the risks posed by a dominant official.

A detailed discussion of our results is provided in Appendix II.

FDIC Initiatives and DSC Policies and Procedures on Corporate Governance

The FDIC has initiated various measures designed to assess and improve controls that mitigate the risk posed by weaknesses in corporate governance. Such measures include reviewing the bank’s BOD activities, ethics policies and practices, and auditor independence requirements. Further, the FDIC reviews the financial disclosure and reporting obligations of publicly traded state nonmember financial institutions. Other corporate governance initiatives include issuing Financial Institution Letters,[14] allowing bank directors to participate in regular meetings between examiners and bank officers, maintaining a “Directors’ Corner” on the FDIC’s public Web site, and expanding the Corporation’s “Directors’ College”[15] program.

[13] This control area is not addressed in DSC’s policies and procedures. DSC’s policies and procedures discuss the need for bank policies, the disclosure of potential conflicts of interests, and the review and approval of applicable transactions. However, DSC’s guidance does not address the establishment of an annual conflicts of interest and ethics review program at the bank.

[14] The FDIC issues Financial Institution Letters (FILs) to FDIC-supervised institutions to announce, for example, new regulations and policies, new FDIC publications, and a variety of other matters of principal interest to those responsible for operating a bank or savings association.

Additionally, as stated earlier, DSC has policies and procedures in place with respect to examining corporate governance, although in some instances, governing regulations that stipulate formal controls are primarily applicable to larger banks with total assets equal to or over $500 million. However, when risks in smaller institutions are increased by the presence of a dominant chairman, president, or majority shareholder at either the bank or holding company[16] level, corporate governance requirements applicable to larger institutions may be necessary. DSC senior management noted that most of the FDIC’s supervised banks are small institutions and that about 52 percent of FDIC-supervised banks have $100 million or less in total assets. Senior management stated that corporate governance and the issues brought about by the presence of a dominant official present a challenge, to some degree, for these small banks. In particular, any policy and procedural change must be considered in correlation with concerns about the regulatory burden that may be imposed and about the “cost vs. benefit” relationship that may exist.[17]

CONCLUSIONS AND RECOMMENDATIONS

The FDIC has made significant strides in addressing corporate governance issues; however, they remain a key concern. The presence of a dominant official heightens the risk profile of an institution and could ultimately pose a greater risk to the insurance funds. An effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution’s size. If management controls are properly designed and effectively applied, examiners are encouraged to place greater reliance on the control systems and limit or, in some cases, eliminate the scope of their review. Therefore, failure to identify and appropriately assess a weak control environment, or a control environment that can be easily circumvented or manipulated by one individual, increases the risk that errors, omissions, and fraud may go undetected and uncorrected. Furthermore, high-risk and improperly managed activities may also remain undetected and not assessed by examiners on a timely basis. Accordingly, when a weakness is identified in a bank’s control environment, examiners are expected to perform additional testing or review procedures. Due to the complexity of corporate governance oversight and the increased level of inherent risk at financial institutions dominated by one official, a comprehensive set of instructions is needed to facilitate the supervisory review process regarding a dominant official.

[15] The FDIC, in cooperation with the various state banking departments, provides training to bankers through the “Directors' College” program.
The FDIC’s goals are to improve corporate governance and educate bank directors on the latest changes in the regulatory environment.

[16] A holding company is a corporation that exercises control over another company, by owning enough voting shares of outstanding common stock, or that controls several related companies.

[17] In this regard, the FDIC has taken action in implementing the Economic Growth and Regulatory Paperwork Reduction Act, Public Law 104-208, Section 2222, which requires the Federal Financial Institutions Examination Council and each of its member agencies to review their regulations at least once every 10 years, in an effort to eliminate any regulatory requirements that are outdated, unnecessary or unduly burdensome.

We recommend that the Director, DSC:

     (1) Require that the pre-examination review process consider and identify the presence of a dominant official as a potential targeted/high-risk area and that examination steps be planned to evaluate the level of risk and the quality of mitigating controls at the bank.

     (2) Consolidate and/or expand existing guidance for the assessment of and response to banks that are controlled by a dominant official.

CORPORATION COMMENTS AND OIG EVALUATION

On August 26, 2004, the DSC Director provided a written response to the draft report. The response is presented in its entirety as Appendix V to this report. DSC concurred with recommendation 1. Regarding recommendation 2, DSC concurred with the intent of the recommendation and offered an alternative action that was responsive. Accordingly, the recommendations are resolved but will remain undispositioned and open until we have determined that agreed-to corrective actions have been completed and are effective. See Appendix VI for a summary of management’s response to, and the status of, the recommendations.
A summary of the Director’s comments follows.

Recommendation 1: DSC management stated its existing guidance addresses this recommendation. However, to ensure that the presence of a dominant official is considered and included in the planning process, DSC stated that it will recommend to the Interagency ED Module Maintenance Committee[18] that a specific requirement to “consider the impact of the existence of a dominant official” be added to the Risk Scoping Module. DSC’s planned action is responsive to our recommendations.

Recommendation 2: DSC management partially concurred with recommendation 2 and offered an acceptable alternative action. The section in the DSC Manual that addresses the risks associated with an institution controlled by a dominant individual will be expanded. The revised Manual will also address issues identified in this report. DSC’s planned action is responsive to our recommendations.

The Director also commented on two aspects of the report. First, DSC questioned the size of our sample, asserting that it was too small to support the report’s conclusions. DSC further noted that the sample did not include any institutions with composite ratings of “1” or “2” that were controlled by a dominant official. Secondly, DSC indicated that a “separate set of guidance” to assess dominant officials is not needed because it would be redundant of steps already performed and that the risk factors we recommended be addressed in the guidance are the same as those assessed at all institutions.

Regarding our sample size, we selected 100 percent of the “5” rated banks, located in two DSC regions, representing a total of six banks.
As of March 1, 2004, eight FDIC-supervised banks in the country were “5” rated. Our sample did not include any of the numerous institutions with composite ratings of “1” or “2” that are currently controlled by a dominant individual. However, for each of the six banks sampled, we reviewed the ROEs issued for a 10-year period beginning when the institutions had been rated a “1” or “2” and had been controlled by a dominant official. Our analysis included a detailed review of a total of 60 FDIC and state ROEs. Therefore, our sample provides a sufficient basis on which to formulate and support our conclusions.

[18] Members of the Interagency ED Module Maintenance Committee are from the FDIC, Board of Governors of the Federal Reserve, and state banking departments.

We recognize that banks that are dominated by one person may not necessarily experience problems. Compensating controls such as strong risk management systems and adequate lending policies and procedures can mitigate the adverse impact of a dominant individual. Nevertheless, our report entitled, Observations from the FDIC OIG Material Loss Reviews Conducted 1993 through 2003 (Report No. 04-004, dated January 22, 2004), states that the major causes of failure were inadequate corporate governance, poor risk management, and lack of risk diversification. Oftentimes, the underlying cause was a dominant person taking risks that were not mitigated by systems to adequately identify, measure, monitor, and most importantly, control the risks. Our review found examination weaknesses concerning the adequacy of analysis performed and timeliness of recommendations and actions taken to control both the inherent risks of a dominant person and those created by an institution whose mitigating controls were lacking.
The examination weaknesses identified by our review may be attributable, in large part, to the absence of a comprehensive set of instructions that provides examiners with a structured review process that guides and facilitates the review of the banks that are controlled by a dominant official. As a result, further guidance should be provided to examiners that facilitates the examination process for this high-risk factor.

Lastly, the report does not suggest that a separate set of guidance be developed for assessing banks controlled by a dominant person. In fact, page 4 of the report states, “Within the framework of the existing examination procedures, the risks of a dominant official should be considered as part of the pre-examination planning and scoping process to the extent that this risk is observed at the senior corporate level.” The report recognizes that existing guidance addresses the impact of dominant individuals, but this guidance is not consolidated and, therefore, some aspects could be overlooked by examiners. In fact, DSC has established consolidated guidance such as that which we are recommending for commercial real estate and subprime lending programs because of their perceived risk and significance to the safety and soundness of institutions.
Therefore, we continue to conclude that regulatory oversight of banks that are dominated by one individual could be strengthened by ensuring that examiners (1) consider the presence of a dominant individual as a risk factor during the pre-examination review process and (2) evaluate specific aspects of corporate governance when a bank has a dominant official.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of the audit was to determine whether the process used by the FDIC to assess bank management and controls during safety and soundness examinations of FDIC-supervised financial institutions is adequate. To accomplish our objective, we reviewed DSC policies and procedures for evaluating bank management. We also reviewed a sample of problem banks located in the DSC Chicago and Dallas Regional Offices.

As of February 29, 2004, there were eight state nonmember banks with a CAMELS composite rating of “5.” Five of these institutions were supervised by the DSC Chicago Regional Office, two were supervised by the DSC Dallas Regional Office, and one institution was supervised by the DSC San Francisco Regional Office. We selected six banks from the DSC Chicago and Dallas Regions to review bank management’s role and DSC’s assessment of bank management. Details on our analysis of the six banks are in Appendix IV.

We performed our audit from October 2003 through May 2004 in accordance with generally accepted government auditing standards.
To accomplish the audit objectives, we:

     •   reviewed DSC policies and procedures pertaining to the evaluation of bank management;
     •   reviewed Federal Reserve Board, Office of the Comptroller of the Currency, and Office of Thrift Supervision policies and procedures pertaining to the evaluation of bank management;
     •   reviewed and analyzed reports of examination prepared by the FDIC and state banking agencies for the banks in our sample during the last 10 years;
     •   reviewed and analyzed related Uniform Bank Performance Reports (UBPR)[19] and Summary Analysis of Examination Reports (SAER);[20] and
     •   interviewed DSC policymakers in Washington, D.C.

We requested that DSC provide all FDIC and state ROEs for the six sampled banks for the period January 1, 1993 through December 31, 2003. However, DSC was unable to provide us with 1 FDIC and 13 state ROEs applicable to 5 of the 6 banks that we sampled.

Government Performance and Results Act, Reliance on Computer-Processed Data, Fraud and Illegal Acts, Management Controls, and Compliance with Laws and Regulations

The nature of the audit objective did not require reviewing related performance measures under the Government Performance and Results Act. We did not determine the reliability of computer-processed data because such data was not significant to accomplishing our audit objective. Our audit program included steps for providing reasonable assurance of detecting fraud or illegal acts.

[19] The Uniform Bank Performance Report (UBPR) is an analytical tool created for bank supervisory, examination, and bank management purposes. The UBPR shows the impact of management decisions and economic conditions on a bank’s performance and balance-sheet composition.

[20] The purpose of the SAER Reports is to collect data from the examination for entry onto the FDIC's data base.

Additionally, we gained an understanding of relevant control activities by examining DSC-applicable policies and procedures as presented in the FDIC’s Rules and Regulations, FDIC’s Statements of Policy, DSC Manual, ED Modules, and Regional Directors Memoranda.

Regarding compliance with laws and regulations, we gained an understanding of aspects of the FDI Act and the requirements of Part 363 of the FDIC’s Rules and Regulations and evaluated the FDIC’s establishment and implementation of procedures for examining the sampled institutions’ regulatory compliance.

APPENDIX II

DSC’S ASSESSMENT OF MANAGEMENT CONTROL AREAS IN SELECTED BANKS AND RELATED FDIC GUIDANCE

The finding section of this report identifies specific areas of consideration that examiners should use in assessing a bank’s control environment and in recommending improvements to a bank’s control structure when a dominant official is present.
A more detailed discussion follows of the (1) weaknesses we identified in the various control areas for the six banks we reviewed with a composite “5” rating, (2) benefits of reviewing these issues in the context of financial institutions controlled by a dominant official, and (3) existing related policies and procedures.

Each of the control areas discussed below is addressed, to some degree, in various DSC policies and procedures. However, the guidance does not address these issues in the context of banks that are controlled by a dominant official. Nor does the guidance provide examiners with instruction on how to (1) review these areas in the overall assessment of management, (2) identify and assess other possible mitigating controls, and (3) develop and recommend alternative actions to mitigate the risk from a dominant official.

Segregation of Duties

Overall, examiners did not identify the dominant official’s level of control or extent of responsibility as a concern and, therefore, did not recommend specific corrective action for this control structure.

For all six banks reviewed, we noted that an appropriate segregation of duties[21] and responsibilities had not been achieved and that a dominant official controlled multiple bank functions. Examiners identified the presence of a dominant official but did not identify the lack of a proper segregation of duties or recommend that key duties and responsibilities be divided among different people. The lack of an appropriate segregation of duties could result in a significant internal control deficiency.

In one case, the dominant official was recognized as the bank’s chairman of the board, president, primary operations officer, primary loan officer, and primary loan review officer. This individual was also a member of the bank’s loan, compliance, and audit committees.
Examiners routinely recognized that the individual had a dominant influence on the bank; however, limited action was taken to mitigate his control. In 1994 and 2002, the official was found to be involved in fraudulent activities. Also of note, in 1999, questionable practices were identified that appear to indicate that other fraudulent activity was evident.

[21] The Government Accountability Office (formerly titled the General Accounting Office): Standards for Internal Control in the Federal Government, issued November 1999, provides a standard for the segregation of duties: “Key duties and responsibilities needed to be divided or segregated among different people to reduce the risk of error or fraud. This should include separating the responsibilities for authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. No one individual should control all key aspects of a transaction or event.”

Ensuring an appropriate segregation of duties and responsibilities among different individuals helps to reduce the risk of error or fraud.

Related FDIC Guidance

The DSC Manual describes a segregation of duties in the context of an accounting control in a transaction, but does not emphasize the need to ensure a segregation of duties over key areas of responsibilities in authorizing transactions, processing and recording them, reviewing the transactions, and handling any related assets. The DSC Manual describes the basic elements of an internal control system. Within this guidance, the DSC Manual states that a bank’s organization plan must segregate the operating and recording functions and that an internal control system should at a minimum provide for a segregation of duties.
The DSC Manual also states that “Ideally, the segregation of duties should be arranged so that no one person dominates any transaction from inception to termination.”

The Management ED Module instructs examiners to determine whether the organizational structure of a bank is appropriate given the size and complexity of the bank and the organization’s strategic plan. The procedures also require examiners to determine whether management maintains an effective system of controls and safeguards for activities that expose the bank to risk. In particular, examiners are instructed to consider the segregation of duties as an element of internal control.

Active and Informed Board of Directors’ Oversight

Examiners did not always identify an inactive and/or uninformed BOD until the banks’ financial condition significantly deteriorated. In some cases, when earlier detection of these deficiencies was noted, examiners were unable to sufficiently persuade bank management to improve the control environment. Examiners provided limited discussions in the ROEs regarding the BOD’s active and informed oversight.

A bank with a dominant official and an inactive and/or uninformed BOD creates a weak control environment in which the decision-making process is centralized in one individual. In most cases, the BOD’s oversight was not criticized in the ROE until the bank was categorized as a problem bank. In the ROEs, examiners occasionally detailed board members’ professional backgrounds but provided no assessments on the members’ qualifications or on the overall level of knowledge, experience and expertise of the BOD directorship.

   •   In one bank, from 1994 to 2000, examiners reported that the BOD appeared to be active and well informed.
       The BOD was also described as effectively overseeing the operations of the bank and policies and providing adequate operating guidelines. Furthermore, ROE comments were complimentary of the dominant official. In 2001, examiners became aware of a subprime lending operation that had been in place for 3 years. Also of note, the bank did not have any loan policy guidelines nor prior experience in this speciality financing. However, examiners reported that the management team (the CEO and the president) appeared to have the capabilities to implement the necessary improvements in this area. In the September 2002 ROE, examiners recognized the performance of senior management and the BOD as being “extremely weak, as reflected by the financial condition of the institution.” In the September 2003 ROE, the management study, required by a Cease and Desist Order (C&D Order), reported that the president did not have the background, abilities, or interpersonal skills to operate as the president. The report also stated that deficient BOD oversight allowed previous executive management to engage in objectionable and hazardous credit policies and practices. The examiners also reported that the BOD had failed to carry out its fiduciary duty to the bank, its depositors, and its shareholders.
       The examiners stated that it was apparent that the BOD turned over virtually unsupervised control of the bank to executive officers and overly relied on prior management.

   •   For another bank, as early as 1994, the examiners encouraged the bank’s BOD to take a more active role in the bank through involvement in day-to-day activities, committees, and strategic planning. Examiners also observed that the CEO reportedly talked with the BOD only periodically and forwarded loan approvals to them for approval by telephone. The examiners concluded that because of this off-site approach by the BOD, it appeared that most of the time, the CEO ran a “one man” operation. In 2003, the examiners summarized that BOD supervision had been inadequate with too much authority vested with the former CEO/president and other lending officers. In addition, BOD involvement in the loan approval process had been limited, and the BOD failed to sufficiently scrutinize lending practices. For at least 9 years, examiners were unable to sufficiently persuade bank management to improve the control environment.

   •   For a third bank, the examiners reported in 1999 that the BOD had failed to provide adequate oversight of management’s performance and effectively monitor the bank’s overall risk profile during monthly meetings. By 2003, the examiners stated that the unacceptable practices and condition of this bank indicated inadequate supervision by the BOD.
       In addition, the examiners stated that, “while one individual [President/Chairman of the Board] is blamed for the loan quality, the BOD must accept the ultimate responsibility for failing to provide adequate controls and procedures to protect the bank.” The DSC Manual states that “Supervision by directors does not necessarily indicate a BOD should be performing management tasks, but rather seeing that its policies are being implemented and adhered to and its objectives achieved. It is the failure to discharge these supervisory duties, which has led to bank failures ….”

With the presence of a dominant official controlling the bank, it becomes more critical to have active and informed board oversight to help mitigate risks. Further efforts are needed by examiners to identify inactive and uninformed BODs and to pursue corrective action on a more timely basis before the financial condition of a bank significantly deteriorates. In particular, an active and informed BOD should serve to mitigate the risk imposed by a dominant official through directors’ involvement in the oversight and decision-making processes.

Related FDIC Guidance

The DSC Manual details the general powers and responsibilities of bank directors which include, but are not limited to, regulating the manner in which all business of the bank is conducted. The DSC Manual also states that the BOD is the source of all authority and responsibility. In the broadest sense, the board is responsible for the formulation of sound policies and objectives of the bank, effective supervision of its affairs, and promotion of its welfare.
In addition, the continuing health, viability, and vigor of the bank are dependent upon an interested, informed, and vigilant BOD.

The Management ED Module instructs examiners to review BOD and committee minutes since the last examination as well as the most recent and year-end BOD packages to determine the extent and adequacy of BOD supervision considering, in part, director attendance, BOD independence from executive management, and dominant control. Examiners are also directed to determine if the BOD minimizes operating management’s ability to override policies and procedures through effective monitoring and enforcement of established guidelines.

Outside/Independent Directors

Examiners did not always identify the need for and assess the role of outside/independent board directors. For the majority of banks reviewed, examiners provided limited discussions in the ROEs on the presence of outside and independent directors.

The failure to have outside/independent board representation creates a weak control environment in which individuals are potentially providing oversight of their own actions. Furthermore, the presence of an outside/independent director enhances the composite judgment of the group by providing more diverse perspectives.
Specifically, within the six banks reviewed, we observed the following:

     •   Dominant officials served on board committees of major risk areas, including the audit committees.
     •   No board committees or audit committees had been established.
     •   The entire BOD served on all committees.
     •   Limited, if any, assessments or discussions were performed or held, respectively, regarding the qualifications of the directors and the functions of these individuals as outside and independent directors.
     •   Examiners inconsistently reported information on the existence and/or participation of board members on various board committees in the confidential-supervisory section[22] of the ROEs.

[22] Comments included in the confidential-supervisory section of the ROE should be of interest primarily to supervisory agencies and should not be duplicative of information contained in the open section of the ROE. This information is not shared with the bank’s management.

For five of the six banks reviewed, the dominant official was a member of the bank’s audit committee and/or participated in other committees of major risk areas. For one bank, the examiners noted in the ROE that prior to 2000, the bank did not have any board committees. In 2000, the bank stipulated to a Memorandum of Understanding (MOU), which required the establishment of board committees. At that time, the establishment of an audit committee was not recommended; however, the FDIC issued a follow-up letter to the bank a short time later, recommending the establishment of an audit committee.
The bank established an audit committee, but in 2003, the examiners observed that three out of the four board directors did not represent the interests of the bank, but rather the interests of the bank holding company by serving as a manager, consultant, and accountant for other businesses owned by the primary shareholder/director. Additionally, the examiners stated that “The lack of an independent board may have contributed to the problems present in this bank.”

For three banks, based on information provided in the ROEs, we concluded that the entire BOD acted as or served on all board committees without regard to achieving a majority of outside directors to inside directors. In some cases, examiners recommended adding outside directors. During a 2001 examination of one bank, the examiners reported that the audit committee included only one outside director. Examiners commented that it is considered a prudent practice for a majority of the committee to consist of outside directors and recommended that additional outside directors be added to the committee.

The 1993 and 1994 ROEs for another bank referenced an MOU, issued in 1990, and a Notice of Determination (NOD),[23] issued in 1994. Both the MOU and NOD required the bank to review the composition of the BOD with the objective of increasing the number of independent outside directors. None of the ROEs discussed which directors qualified as outside or as independent directors (the 2001 ROE stated that four of the nine directors were not “insiders” of the bank). However, the “nonmanagerial/nonemployee” directorship increased from two out of seven directors in 1993 to four out of nine directors in 1999. Nevertheless, two of the four directors appeared related to each other and owned over 19 percent of outstanding voting class shares of the bank. Regulatory guidelines classify such directors as not independent.
In addition, if the directors were also considered principal shareholders, then they would be considered inside directors. Another of the “non-managerial/nonemployee” directors was also a former vice president/employee who had retired. According to regulatory guidelines, an outside director would not be considered independent of management if that individual had been an officer or employee of the bank within the preceding year.

In two other banks we reviewed, it appeared that the directors had limited experience in banking and/or accounting and auditing based on the background descriptions of the BOD provided in the ROEs.

[23] An MOU and a NOD are informal corrective administrative actions related to issues considered to be of supervisory concern but which have not deteriorated to the point where they warrant formal administrative action.

To help mitigate the risk to an institution that is dominated by an individual, it would be prudent to require, at a minimum, that this individual does not participate on the board committees of major risk areas, and where feasible, the board committees should be composed of a majority of outside directors.

Related FDIC Guidance

The DSC Manual states that “each director should bring to the position particular skills and experience which will contribute to the composite judgment of the group.” In reference to audit committees, the DSC Manual states:

         … all banks are strongly encouraged to establish an audit committee consisting, if possible, entirely of outside directors and, in appropriate circumstances, should be criticized for not doing so.
         Although a committee of outside directors may not appear possible in a small closely-held bank where there are, in effect, no outside directors on the board, all banks should be encouraged to add outside directors to their board and to appoint them to the audit committee.

Part 363 of the FDIC’s Rules and Regulations specifically requires, in part, that banks with $500 million or more in total assets must establish an independent audit committee consisting entirely of outside directors.[24] Also, Part 363.5 requires that the audit committees of banks with $3 billion or more in total assets shall include members with banking or related financial management expertise, have access to its own outside counsel, and not include any large customers of the institution.

Additionally, the Management ED Module instructs examiners to determine the extent and adequacy of board supervision by considering, in part, the BOD’s independence from executive management and the dominant control by a board member, shareholder, or executive management. The Management ED Module also instructs examiners to determine whether an audit committee has been established and to evaluate the composition of the committee by considering the number of members, number of outside directors, independence from management, and the presence of “financial experts” on the committee.

[24] Part 363 of the FDIC’s Rules and Regulations, codified to Title 12 of the Code of Federal Regulations, states, in part, that in determining whether an outside director is independent of management, the board should consider all relevant information.
This would include considering whether the director is or has been an officer or employee of the institution or its affiliates; serves or has served as a consultant, advisor, promoter, underwriter, legal counsel, or trustee of or for the institution or its affiliates; is a relative of an officer or other employee of the institution or its affiliates; holds or controls, or has held or controlled, a direct or indirect financial interest in the institution or its affiliates; and has outstanding extensions of credit from the institution or its affiliates. An outside director should not be considered independent of management if such director is, or has been within the preceding year, an officer or employee of the institution or any affiliate, or owns or controls, or has owned or controlled within the preceding year, assets representing 10 percent or more of any outstanding class of voting securities of the institution.

The Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations encourages all banks to establish an audit committee consisting entirely of outside directors or, at a minimum, organize the audit committee so that outside directors constitute a majority of the committee.

External and Internal Audits

Examiners did not always provide a discussion or analysis of the (1) need for an annual financial audit by an independent public accountant; (2) adequacy of internal audit personnel and related functions; or (3) rationale for changes in external auditors, despite weaknesses being present.

An annual financial audit and/or a qualified and independent internal auditor can reduce the risk posed by a dominant official by providing a layer of independent oversight and verification of the bank’s financial position and operations.
Additionally, the investigation into the decision-making process for significant changes to a bank’s audit program can serve as a validation of the bank’s control structure and of its operation. In turn, appropriately functioning controls may mitigate the risk posed by a dominant official by ensuring that the various duties and responsibilities are appropriately delegated and performed without undue influence or circumvention by the dominant official.

When a bank is controlled by a dominant official, examiners should consider requiring that an annual financial audit be conducted which would enhance the level of control and provide greater assurance that financial statements are properly presented. Examiners should also consider the qualification, experience, and independence of the bank’s internal auditors. Furthermore, the internal audit function should be segregated from operational activities. In particular, an effective system of internal control and an independent internal audit function form the foundation for safe and sound operations, regardless of an institution’s size, and each bank should have an internal audit function that is appropriate to its size and the nature and scope of its activities.

Additionally, any change in a bank’s external auditor should be investigated and the reasons for the change reported. In particular, for banks that are dominated by one individual, the rationale for the change should be assessed to ensure that the basis for the change is not driven by the desire to obtain a favorable audit opinion or outcome.
Furthermore, the bank’s audit committee should be assessed to determine whether committee members are materially participating in the decision-making process and are serving as an independent control.

External Audits. Four of the six banks reviewed had annual directors’ examinations[25] performed, and pursuit of annual financial audits was lacking. One of the four banks changed to an annual financial audit in 1995. Due to the lack of comments in the ROEs explaining why the bank expanded the scope of the audit, we determined that the change in scope appeared to have been initiated by bank management and was not changed in response to a regulatory recommendation.

Another bank was subject to a Section 39 Safety and Soundness Compliance Plan[26] in October 1999 and then to a C&D Order in November 2000. The Section 39 Safety and Soundness Compliance Plan contained a provision for certain agreed-upon procedures to be performed at the next directors’ examination, and the C&D Order contained a provision requiring that one financial audit be conducted. However, the bank failed to comply with the Section 39 Safety and Soundness Compliance Plan, and a qualified opinion was rendered by the certified public accounting firm on the financial audit. Following the financial audit, the bank reverted to having only annual directors’ examinations performed. The ROEs for the remaining two banks had no comments or recommendations that encouraged or required the banks to obtain annual financial audits. Furthermore, there were limited, if any, discussions in the ROEs on the adequacy of the scope of the directors’ examination.
Of particular interest, for one of the two banks that had only annual directors’ examinations performed, an examiner made a recommendation in 1994 that a provision for an annual financial audit be included in a NOD. However, this provision was not included in the final NOD. Subsequent to the NOD, a state commitment letter[27] was issued in 2000 and a C&D Order was issued in 2002. Despite the identification of apparent fraud committed by the president in 1994 and then again in 2002, the examiners did not provide either an ROE statement encouraging an annual financial audit or an informal/formal action with a provision requiring an annual financial audit.

Related FDIC Guidance

The DSC Manual emphasizes that “Each bank is strongly encouraged to adopt an external auditing program that includes an annual audit of its financial statements by an independent public accountant.”[28] The DSC Manual also states that the bank’s board should select the scope of the planned external auditing program. However, if in the judgment of the examiner, unique risks of the bank need additional external auditing coverage, the examiner should make specific recommendations for addressing these areas for consideration by the audit committee and/or BOD. In particular, the DSC Manual notes that the examiner should determine whether the scope selected by the bank (1) adequately covers the high-risk areas of that particular bank and (2) is performed by a qualified auditor who is independent of the bank.

[25] FDIC’s Statement of Policy, Interagency Policy Statement on External Auditing Programs of Banks and Savings Associations, states that Agreed-Upon Procedures/State-Required Examinations (directors’ examinations) are specified procedures required by some state statutes or regulations and are performed annually by an institution’s directors or independent persons. The policy statement defines specified procedures as “Procedures agreed-upon by the institution and the auditor to test its activities in certain areas. The auditor reports findings and test results, but does not express an opinion on controls or balances.”

[26] If a regulatory agency determines that an institution fails to meet any standard established under subsection (a) or (b) of section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), the agency may require the institution to submit to the agency an acceptable plan to achieve compliance with the standard. In the event that an institution fails to submit an acceptable plan within the time allowed by the agency or fails in any material respect to implement an accepted plan, the agency must, by order, require the institution to correct the deficiency.

[27] Informal administrative actions, such as Board Resolutions, Commitment Letters or Memorandums of Understanding, are normally handled through written correspondence with a bank's BOD.

The Management ED Module instructs examiners to review the bank’s external audit program. Examiners are directed to determine whether the audit program is in compliance with FDIC Part 363, or the Statement of Policy Regarding Independent External Auditing Programs of State Nonmember Banks. In banks that have chosen not to obtain an external audit, examiners are instructed to review the board minutes at each examination in order to assess the BOD’s reasons for not having an annual financial audit and the BOD’s determination that the audit program provides sufficient coverage of areas of potential concern or unique risk.
If, in the judgment of\nthe examiner, additional external audit coverage is warranted, specific suggestions for addressing\nthese areas should be recommended. However, the lack of an external audit will not\nautomatically result in a negative examiner comment.\n\nInternal Audits. Several of the banks reviewed had designated internal auditors and/or\noutsourcing arrangements; however, the ROEs contained no assessment of the auditors\xe2\x80\x99 and/or\nentities\xe2\x80\x99 qualifications, experience, or independence as internal auditors.\n\n     \xe2\x80\xa2   At one institution, the designated internal auditor was the president\xe2\x80\x99s son and the bank\xe2\x80\x99s\n         assistant cashier, who was also a recent college graduate with 30 credits in accounting.\n         At the same institution, the internal audit function was later outsourced to a \xe2\x80\x9cBanking\n         Specialist.\xe2\x80\x9d However, the ROEs contained no information or assessment concerning the\n         individual\xe2\x80\x99s qualifications or experience as an internal auditor. Furthermore, the\n         individual reported to the full BOD instead of an independent audit committee, and the\n         full BOD was primarily composed of inside directors and was dominated by the\n         president.\n\n     \xe2\x80\xa2   At a second institution, the bank\xe2\x80\x99s audit program was administered by an internal auditor,\n         but no summary or assessment was provided in the ROEs on this individual\xe2\x80\x99s\n         qualifications, experience, or independence. At the same institution, the audit program\n         was later administered by the bank\xe2\x80\x99s external audit firm. 
Although this firm eventually\n         stopped performing external auditing services in accordance with new regulatory\n\n28\n  The FDIC\xe2\x80\x99s Statement of Policy, Interagency Policy Statement on External Auditing Programs of Banks and\nSavings Associations, defines a Financial Statement Audit by an Independent Public Accountant as \xe2\x80\x9cAn examination\nof the financial statements, accounting records, and other supporting evidence of an institution performed by an\nindependent certified or licensed public accountant in accordance with generally accepted auditing standards\n(GAAS) and of sufficient scope to enable the independent public accountant to express an opinion on the\ninstitution\'s financial statements as to their presentation in accordance with generally accepted accounting principles\n(GAAP).\xe2\x80\x9d\n                                                          21\n\x0c                                                                                    APPENDIX II\n\n        guidelines, the firm was also noted as providing/performing compliance reviews, loan\n        review services, and financial consulting functions for the bank \xe2\x80\x93 \xe2\x80\x9csince the departure of\n        the Chief Financial Officer.\xe2\x80\x9d\n\n   \xe2\x80\xa2   At a third institution, two individuals had been designated as internal auditors. The first\n       individual was also the bank\xe2\x80\x99s cashier and compliance officer. Although no summary or\n       assessment was provided in the ROE on this individual\xe2\x80\x99s qualifications, experience, or\n       independence; the individual was later found to be intentionally reporting false\n       information to the bank\xe2\x80\x99s BOD. The bank\xe2\x80\x99s second internal auditor was initially hired to\n       provide only audit services. 
       Examiner comments in the ROE indicated that this
       individual lacked experience; however, the ROE had no assessment on the individual’s
       qualifications, experience, or independence as an internal auditor. In addition, limited
       action was taken or recommended to correct the noted weaknesses. Furthermore, in
       subsequent periods, this individual took on greater responsibilities, including, but not
       limited to, marketing, asset/liability management, investments, cash and funds
       management, and personnel administration. The internal auditor also held the following
       titles: vice president, senior/chief operations officer and cashier, bank secrecy act officer,
       and compliance officer. The internal auditor was also listed as a member of the executive
       committee, asset/liability committee, and the loan committee. Examiners also noted in
       the ROE that, in response to an outstanding C&D Order, the internal auditor “oversees
       the daily affairs of the bank with the assistance of chairman … and director … however,
       these individuals lack bank management experience.”

Related FDIC Guidance

The DSC Manual states the following:

       Perhaps the most effective internal control procedure available to a bank’s BOD is the
       appointment of a professionally competent internal auditor responsible for the
       development and administration of an internal audit program …. Auditors must have
       complete independence in carrying out the audit program and should report their findings
       directly to the bank’s BOD or a designated directors’ audit committee.
       It is imperative
       that internal auditors have sufficient authority and the degree of audit independence
       essential to exercise their responsibilities, and that they be divorced from operations.

The FDIC’s Statement of Policy, Interagency Policy Statement on the Internal Audit Function
and Its Outsourcing, states that an effective system of internal control and an independent
internal audit function form the foundation for safe and sound operations, regardless of an
institution’s size. A small institution without an internal auditor can ensure that it maintains an
objective internal audit function by implementing a comprehensive set of independent reviews of
significant controls. The key characteristic of such reviews is that the person(s) directing and/or
performing the review of internal controls is not also responsible for managing or operating those
controls.

The Management ED Module provides examiner review guidelines for banks with a formal
internal audit department. These guidelines include, but are not limited to, examiners
determining (1) that committee minutes document significant actions; (2) whether the internal
audit function is sufficiently segregated from bank operations; and (3) that the size of the audit
staff is appropriate and that related academic backgrounds, experience, competency, and ongoing
training initiatives are sufficient for the size and complexity of the bank.

Changes in External Auditors. Half of the banks reviewed had multiple changes in the banks’
designated external auditors; however, the reasons for the changes provided in the ROEs were
not always noted or fully investigated. The six banks reviewed had a total of 18 changes in the
banks’ designated external auditors.
No reasons were provided in the ROEs for 13 out of the
18 changes. Explanations for the changes in the banks’ external auditors were provided in five
cases; however, the source of the information was not always stated in the ROEs. In two cases,
ROEs stated that the source of the information was the bank’s president. Examiners did not
reference the bank’s auditors or audit committee minutes as a source of information. An
assessment of the bank’s decision-making process that referenced the audit committee minutes
also was not evident. One bank, in particular, was subject to the FDIC’s Rules and Regulations,
Part 363, Annual Independent Audits and Reporting Requirements. One of the bank’s external
auditor changes was prompted by the auditor’s termination of the contractual agreement, but no
reason was provided in the ROE. In accordance with Part 363 guidelines, the reasons for the
resignation of the external auditor should have been submitted in writing to the regional office
15 days after the relationship was terminated by both the bank and the independent public
accountant. If written notices had been provided to the regional office, they were not cited in the
ROE.

Related FDIC Guidance

The DSC Manual states that “The FDIC encourages communication between its examiners and
external auditors with the permission of an institution’s management.” Banks that are subject to
Part 363 of the FDIC’s Rules and Regulations must provide written notice to the FDIC regarding
the engagement of an independent public accountant, the resignation or dismissal of a previously
engaged accountant, and the reasons for such an event. In addition, an independent public
accountant must notify the FDIC when it ceases to be the accountant for an insured depository
institution.
The notification must be in writing, be filed within 15 days after the relationship is
terminated, and contain the reasons for the termination.

The Management ED Module instructs examiners to determine whether changes in external
auditors or legal counsel occurred and why.

Code of Conduct and Conflicts of Interest Policies

Examiners’ reviews of the banks’ code of conduct and conflicts of interest policies were
inconsistent. Significant conflicts and apparent violations were evident, despite the policies at
some of the banks.

The presence of a dominant official increases the potential risk of fraud and insider abuses and
the risk that these actions may go undetected. In these circumstances, it is essential to have
policies and systematic controls in place that deter unethical behavior.

Inconsistencies were evident in the review process. For example, at one bank, examiners
identified, in a timely manner, the establishment of formal code of conduct and conflicts of
interest policies as early as 1994. In another bank, however, examiners did not recommend that
formal policies be developed until 2002. In some cases, the general identification of policy
weaknesses coincided with concerns over potential insider abuse. Furthermore, in a few banks
that had code of conduct and conflicts of interest policies, potential insider abuses were noted in
the ROEs.
We noted no discussion concerning the need for banks to implement a BOD’s annual
conflicts of interest and ethics review; DSC has not established a related requirement.

The benefit of establishing written code of conduct and conflicts of interest policies is that they
will help to communicate and reinforce the foundation of a bank’s corporate culture and ethics.
In addition, assigning personal responsibility to the BOD or to a select committee by requiring an
annual BOD’s review will help to instill awareness of and accountability for potential conflicts
of interest and ethical issues. Furthermore, a corporate culture that is based on valuing personal
integrity in its code of conduct, ethics policies, and actions will help to limit the risk of fraud and
insider abuse and, ultimately, the risk to the insurance funds.

Related FDIC Guidance

The DSC Manual suggests that examiners review a bank’s written code of conduct and that
examiners determine whether a policy covers conflicts of interest. The DSC Manual states, in
part, that the early detection of apparent fraud and insider abuse is an essential element in
limiting risk and that “Corporate Culture/Ethics” is one such area in which potential problems
may exist. The DSC Manual also states that the “Absence of a written code of conduct may
make it difficult to discipline directors, officers or employees who may be involved in
questionable activities.…”

The DSC Manual provides examiners with a list of “Warning Signs” in relation to the existence
of potential problems surrounding a bank’s corporate culture/ethics including, but not limited to,
the absence of a code of ethics; lack of oversight by the institution's BOD, particularly outside
directors; and the lack of management independence in acting on recommended corrective
actions.
The DSC Manual instructs examiners to inquire into bank policies and procedures
designed to bring conflicts of interest to the attention of the BOD when it is asked to approve
loans or other transactions in which an officer, director, or principal stockholder may be
involved. Examiners are also instructed to scrutinize any loan or other transaction in which an
officer, director, or principal stockholder is involved.

The Management ED Module instructs examiners to review a bank’s code of conduct and the
bank’s specific guidelines concerning conflicts of interest. The module also instructs examiners
to determine whether the BOD appropriately monitors and manages conflicts of interest between
the institution and its directors, management, principal shareholders and affiliates, including
conflicts arising from transactions between the institution and an associated person. In addition,
examiners are instructed to determine if management adequately addresses integrity in its code
of conduct, ethics policy, and actions. Examiners are also directed to determine the
appropriateness of salary levels and compensation arrangements for both the BOD and executive
management and whether self-serving practices or conflicts of interest exist and adequate
systems are in place to monitor and manage these conflicts of interest.
The Management ED
Module’s expanded analysis section states examiners are to determine why an ethics policy has
not been adopted.

External and Internal Loan Review

Examiners generally recognized the absence or inadequacies of the banks’ loan review programs;
however, sufficient and timely actions were not taken to substantially improve the loan oversight
process.

When a dominant official controls the loan review process, the potential risk is greater that the
bank’s financial condition and performance could be distorted, that the timely recognition of loss
could be delayed, that the allowance for loan and lease losses (ALLL)[29] could be underfunded,
and that the recognition of loan administration and collection deficiencies could be delayed
and/or go undetected. Thus, delaying and/or preventing timely corrective action could escalate
the problems and risks over time.

Five of the six banks reviewed were routinely criticized by examiners as having an inadequate
internal loan review program. In two of these banks, examiners recommended that an external
loan review be performed; one bank complied with the recommendation, and one did not. One
recommendation was presented in a State Safety and Soundness Compliance Plan, and the other
recommendation was presented in a C&D Order. Both of these recommendations were made
after the bank’s asset quality had significantly deteriorated. Also of note, in three of the six
banks, bank management reportedly outsourced the internal loan review process to an external
agency. This process was initiated as early as 1998 and as late as 2002.
Based on a review of
the ROEs, examiners inconsistently recognized and described the existing loan review program.
In particular, a few ROE comments and the corresponding examiner analysis appeared to have
confused an external loan review with an outsourced internal loan review process. Nevertheless,
at all of the banks reviewed, the loan review functions were either nonexistent or largely
controlled by the dominant official.

[29] Federally insured depository institutions must maintain an ALLL at a level that is adequate to
absorb the estimated credit losses associated with the loan and lease portfolio.

In one bank, the examiners made recommendations as early as 1993 to improve the loan review
process. In 1999, the examiners reported that the bank did not have a formal loan review
function. By 2003, the examiners observed that a loan review officer had not been appointed and
that the board minutes did not indicate that a loan review committee had been established. In
addition, despite a provision from a 1999 Safety and Soundness Compliance Plan that required
an external loan review be conducted by an outside consultant, there is no evidence to suggest
that this external loan review was conducted. In another bank, over a 10-year period, examiners
repeatedly identified loan review weaknesses and repeatedly recommended improvements to the
bank’s loan review process. In 2002, the bank’s internal loan review was reported as being
outsourced to an external company that was performing only an annual review. Although
examiners did not recognize this as a concern, an internal loan review process conducted on an
annual basis should not be considered timely or sufficient.
In 2003, examiners reported that the
bank’s ALLL was underfunded and that the BOD was unaware of the extent of the loan
portfolio’s problems. Examiners also reported that the BOD and others placed too much reliance
on the representations of former management and loan grades assigned by loan officers.
Furthermore, examiners reported that the extent of the bank’s collections problems had only
recently become apparent.

When a dominant official controls a bank and the loan review process, the risk of undue
influence can be mitigated by the establishment of a loan review program that consists of an
independent internal loan review and oversight process and by the performance of an external
loan review by an outside consultant. An internal loan review program is essential; however, an
independent assessment of the loans by a third party consultant can provide an additional level of
risk protection.

Related FDIC Guidance

According to the DSC Manual, “it is essential that all institutions maintain an effective loan
review system.”[30] In particular, an effective loan review system is expected, in part, to provide
the BOD and senior management with an objective assessment of the overall portfolio quality.
Furthermore, “Management should ensure that, when feasible, all significant loans are reviewed
by individuals that are not part of or influenced by anyone associated with, the loan approval
process.” The DSC Manual provides that the complexity and scope of a bank’s loan review
system will vary based upon an institution's size, type of operations, and management practices.

[30] The DSC Manual states, “The term loan review system refers to the responsibilities assigned to
various areas such as credit underwriting, loan administration, problem loan workout, or other areas.
Responsibilities may include assigning initial credit grades, ensuring grade changes are made when
needed, or compiling information necessary to assess the adequacy of the ALLL.”

The DSC Manual also states that “Systems may include components that are independent of the
lending function, or may place some reliance on loan officers. Although smaller institutions are
not expected to maintain separate loan review departments, it is essential that all institutions
maintain an effective loan review system.”

The primary component of an effective loan review system is accurate and timely credit
grading.[31] The DSC Manual states:

        Credit grading systems often place primary reliance on loan officers for identifying
        emerging credit problems. However, given the importance and subjective nature of credit
        grading, a loan officer's judgment regarding the assignment of a particular credit grade
        should generally be subject to review. Reviews may be performed by peers, superiors, or
        loan committee(s), or by other internal or external credit review specialists. Credit
        grading reviews performed by individuals independent of the lending function are
        preferred because they often provide a more conservative assessment of credit quality.

The ED Module: Loan Portfolio Management and Review: General (Loan ED Module)
instructs that examiners review internal and external loan review reports as well as other reports
provided by third party sources.
Examiners are instructed, in part, to determine that the bank’s
audit program is sufficient to obtain reasonable assurance that loans are properly classified,
described, and disclosed in the financial statements, including fair values of loans and
concentrations of risk. The Loan ED Module also instructs examiners to ascertain whether the
loan review practices are adequate for the size and complexity of the bank. Examiners are
directed, in part, to verify that the loan review function provides senior management and the
BOD with an objective and timely assessment of the overall quality of the loan portfolio.

[31] The DSC Manual states, “Credit grading involves an assessment of credit quality, the
identification of problem loans, and the assignment of risk ratings.”

APPENDIX III

ANALYSIS OF THE MANAGEMENT COMPONENT RATING

We generated a sample of all state nonmember safety and soundness examinations that were
conducted from January 1, 2001 to September 30, 2003.
We collected CAMELS data on 11,389
examinations conducted at state nonmember banks by both the FDIC and state regulators.
Table 1 below shows the percentage of occurrences in which a CAMELS component rating was
the same as the CAMELS composite rating.

Table 1: CAMELS Component Rating Equals the CAMELS Composite Rating

CAMELS Components     CAMELS Component Rating Equals Composite Rating
Capital               72%
Assets                72%
Management            86%
Earnings              64%
Liquidity             63%
Sensitivity           70%

The results of our analysis indicate that the Management component rating is more closely linked
to the overall CAMELS composite rating than the other five component ratings. This supports
DSC’s philosophy with respect to rating bank management.
As stated in the DSC Manual:

       … a bank's performance with respect to asset quality and diversification, capital
       adequacy, earnings capacity and trends, and liquidity and funds management is, to a very
       significant extent, a result of decisions made by the bank's directors and officers.
       Consequently, examiners' findings and conclusions in regard to the other five elements of
       the CAMELS rating system are often major determinants of the management rating.

APPENDIX IV

PROFILES OF STATE NONMEMBER BANKS

As of February 29, 2004, eight state nonmember banks had been assigned a CAMELS composite
rating of “5.” Five of these institutions are supervised by the DSC Chicago Regional Office, two
institutions are supervised by the DSC Dallas Regional Office, and one institution is supervised
by the DSC San Francisco Regional Office.
The six open state nonmember banks with a
composite rating of “5” that we selected and analyzed are profiled in Table 2 below:

Table 2: Profiles of State Nonmember Banks Rated a CAMELS Composite “5” (1993–2003)

Bank         Years of a       Years of a       Total Asset Range[a]    Main Loan Product Lines
Designation  “3” to “5”       “3” to “5”       ($ in Millions)         (11-Year Average)
             Management       Composite        Low         High
             Rating           Rating

Bank A       1993 to 1994,    2003             Under $100  Under $200  1-4 Family Residential Properties (30%),
             1996, and                                                 Loans to Individuals (21%), Commercial and
             2001 to 2003                                              Industrial (17%), Non-Farm Non-Residential
                                                                       (13%), and Farmland (10%).

Bank B       1993,[b] 1997,   1993,[b] and     Under $100  Under $100  1-4 Family Residential Properties (37%),
             and 1999 to 2003 1999 to 2003                             Loans to Individuals (26%), Non-Farm
                                                                       Non-Residential (9%), Farmland (9%),
                                                                       Agricultural (9%), and Commercial and
                                                                       Industrial (9%).

Bank C       1994, 1998 to    1999 to 2000,[b] Under $100  Under $200  1-4 Family Residential Properties (39%),
             2000,[b] and     and 2001 to 2003                         Non-Farm Non-Residential (24%),
             2001 to 2003                                              Commercial and Industrial (24%), and
                                                                       Multifamily Residential (10%).

Bank D       1993 to 1994,    1993 to 1994,    Under $50   Under $50   Agricultural (77%), Farmland (10%), and
             and 1999 to 2003 and 2001 to 2003                         Loans to Individuals (10%).

Bank E       2001 to 2003     2001 to 2003     Under $150  Under $700  Commercial and Industrial (28%), 1-4
                                                                       Family Residential Properties (24%),
                                                                       Non-Farm Non-Residential (20%), and
                                                                       Lease Financing Receivables (13%).

Bank F       1994, and        1998 to 2003     Under $50   Under $50   Commercial and Industrial (30%), Loans
             1997 to 2003                                              to Individuals (29%), and 1-4 Family
                                                                       Residential Properties (28%).

Source: OIG Analysis of Uniform Bank Performance Reports and the FDIC’s online resources.
Averages were based on year-end computations.
[a] These ranges were derived from the lowest and highest levels achieved in total assets for the years
ended 1993 to 2003.
[b] During the year, the rating was subsequently upgraded.

APPENDIX V

CORPORATION COMMENTS

APPENDIX VI

MANAGEMENT RESPONSE TO RECOMMENDATIONS

This table presents the management response on the recommendations in our report and the status of
the recommendations as of the date of report issuance.

Rec.    Corrective Action: Taken or Planned/Status          Expected           Monetary  Resolved:[a]  Dispositioned:[b]  Open or
Number                                                      Completion Date    Benefits  Yes or No     Yes or No          Closed[c]

1       DSC will review the guidance for the                December 31, 2004  N/A       Yes           No                 Open
        pre-examination review process to ensure that it
        is clear that the risk factor related to the
        existence of a dominant official be considered
        and included in the planning process. DSC will
        recommend to the Interagency ED Module
        Maintenance Committee that a specific requirement
        to “consider the impact of the existence of a
        dominant official” be added to the Risk Scoping
        Module.

2       DSC will update coverage in the DSC Manual to       March 31, 2005     N/A       Yes           No                 Open
        emphasize the existence of a dominant official
        as a risk factor.

[a] Resolved –
    (1) Management concurs with the recommendation, and the planned corrective action is consistent
        with the recommendation.
    (2) Management does not concur with the recommendation, but planned alternative action is
        acceptable to the OIG.
    (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount.
        Monetary benefits are considered resolved as long as management provides an amount.
[b] Dispositioned – The agreed-upon corrective action must be implemented, determined to be effective,
    and the actual amounts of monetary benefits achieved through implementation identified. The OIG is
    responsible for determining whether the documentation provided by management is adequate to
    disposition the recommendation.
[c] Once the OIG dispositions the recommendation, it can then be closed.